
Eventia Suite

Getting Started Guide

Version: NGX R63

702215 January 10, 2007

© 2003-2006 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2006 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.


Contents

Chapter 1

Architecture

Overview

Data Analysis and Event Identification

Event Management

Eventia Analyzer Client

Log Consolidation

Eventia Reporter Generator

Eventia Reporter Client

Interoperability with SmartCenter

Check Point Licenses

Chapter 2

Installing the Eventia Suite

Introduction

Installation

Windows Platform

Solaris, Linux and SecurePlatform

Enabling Connectivity Through a Firewall

Preparing Eventia Suite in SmartCenter

Preparing Eventia Suite on Provider-1 MDS

For Provider-1/SiteManager-1 Version R55

For Provider-1/SiteManager-1 Version R60

Chapter 3

Initial Configuration

Introduction to Initial Configuration

Enabling Connectivity with Provider-1/SiteManager-1

Configuring the Eventia Suite Clients

Installing the Eventia Suite Clients

Define the Internal Network for Eventia Analyzer

Creating a Consolidation Session for Eventia Reporter

Defining Correlation Units and Log Servers for Eventia Analyzer

Incorporating Third-Party Devices

Syslog Devices

Windows Events

SNMP Traps

Chapter 4

Chapter 1

Architecture

In This Chapter

Overview

Data Analysis and Event Identification

Event Management

Eventia Analyzer Client

Log Consolidation

Eventia Reporter Generator

Eventia Reporter Client

Interoperability with SmartCenter

Overview

Eventia Suite has several components that work together to help track down security threats and make your network more secure:

Correlation Unit, which analyzes log entries on Log Servers.

Eventia Analyzer™ Server, which contains the Events Database.

Eventia Analyzer Client, which manages Eventia Analyzer.

Eventia Reporter™ Server, which contains the Reporter Database.

Eventia Reporter Client, which manages the Reporter.

They work together in the following manner:

The Correlation Unit analyzes each log entry as it enters a Log Server, looking for patterns according to the installed Event Policy. The logs contain data from both Check Point products and certain third-party devices. When a threat pattern is identified, the Correlation Unit forwards what is known as an event to the Eventia Analyzer Server.


The Eventia Reporter Client allows the creation of Log Consolidation sessions and allows the users to edit, schedule and generate reports. It also enables users to manage the Eventia Reporter Server.

The Eventia Suite components can be installed on a single machine or spread out over multiple machines and sites to handle higher volumes of logging activity.


Depending on the volume of logging activity and load on the machines, you may want to install multiple Correlation Units, each of which can analyze the logs of multiple Log Servers. You may also wish to install the Eventia Reporter server on a separate machine from the Eventia Analyzer Server.

Data Analysis and Event Identification

The Correlation Unit is responsible for identifying events, which it does by analyzing log entries. When analyzing a log entry, the Correlation Unit does one of the following:

Marks log entries that by themselves are not events, but may be part of a larger pattern to be identified in the near future.

Takes a log entry that meets one of the criteria set in the Events

Note - If the Eventia Analyzer is installed without Eventia Reporter, some Eventia Reporter components are installed to enable the generation of Eventia Analyzer reports. The Eventia Reporter Client will only contain Eventia Analyzer reports.


Event Management

The Eventia Analyzer Server receives all the items that are identified as an event by the Correlation Unit(s). Further analysis takes place on the Eventia Analyzer Server to determine the severity level of the event and what action should take place. The event is then stored in the system database.

Eventia Analyzer Client

The Eventia Analyzer Client is used to configure the system, define the rules and monitor the events. The Eventia Analyzer Client interacts with the Eventia Analyzer Server and database.

Log Consolidation

The Log Consolidator reads the logs from the log servers and stores relevant logs in the Eventia Reporter database. The logs that are stored and the level of consolidation can be configured through the consolidation policy that is found in SmartDashboard.

Eventia Reporter Generator

The Eventia Reporter Generator generates reports on demand or on schedule as defined in the Eventia Reporter Server. After a report is generated it is stored on the server and can be distributed to a web server, sent via email or distributed in a custom manner.


Eventia Reporter Client

The Eventia Reporter Client is used to:

access and schedule reports

customize report definitions

create consolidation sessions

manage space on the Eventia Reporter database

manage memory allocation

Interoperability with SmartCenter

Eventia Suite imports certain objects from the SmartCenter Server to define the internal network without having to recreate the objects in the Eventia Reporter and Eventia Analyzer. Changes made to the objects on the SmartCenter Server are reflected in the Eventia Clients.

Check Point Licenses

In order to purchase the required Check Point products, contact your reseller.

Check Point software that has not yet been purchased will work for a period of 15 days. You are required to go through the User Center in order to register this software.

1. Activate the Certificate Key shown on the back of the media pack via Check Point User Center at http://www.checkpoint.com/usercenter.

The Certificate Key activation process consists of:

adding the Certificate Key

activating the products

choosing the type of license

entering the software details

Once this process is complete, a License Key is created and made available to you.

2. Once you have a new License Key, you can start the installation and configuration process. During this process, you will be required to:

read the End Users License Agreement and if you accept it, select Yes.

import the license that you obtained from the User Center for the product that you are installing.

Licenses are imported via the Check Point Configuration Tool. The License Keys tie the product license to the IP address of the Eventia Analyzer Server. This means that:

Only one IP address is needed for all licenses.

All licenses are installed on the Eventia Suite Server.

Correlation Units are licensed by the number of units that

Chapter 2

Installing the Eventia Suite

In This Chapter

Introduction

Installation

Enabling Connectivity Through a Firewall

Preparing Eventia Suite in SmartCenter

Preparing Eventia Suite on Provider-1 MDS

Introduction

This chapter covers installing Eventia Suite which is comprised of the following:

Eventia Reporter which consists of the Eventia Reporter Server and the Eventia Reporter Client.

Eventia Analyzer which consists of the Eventia Analyzer Server, Correlation Unit and the Eventia Analyzer Client.

For Hardware Requirements and Supported Platforms please refer to the NGX R63 Release Notes document.

This installation process consists of three phases:

1. Install Eventia Suite

2. Prepare Eventia Suite in SmartCenter

3. Configuring Eventia Suite

To perform steps 2 and 3 refer to the “Initial Configuration” on page 31.

Installation

In This Section

Windows Platform

Solaris, Linux and SecurePlatform

Windows Platform

The Eventia Suite is installed on top of a log server and therefore the installation consists of two components:

Log Server Package found under the <platform>/CPvpn folder on the installation disk.

Eventia Suite Package found under the <platform>/EventiaSuite folder on the installation disk.

To install the Log Server package perform the following on the machine that will hold the Eventia Suite:

1. Log in as an administrator.

2. Go to the directory windows\CPvpn and double-click the setup.exe. The Installation Wizard begins.

3. Click Next and Yes to accept the agreement.

4. In the Destination Location window verify that the location of the Log Server is correct and click Next.

5. Click OK to finish the installation.

Note - Eventia Suite is installed on a separate machine than

To install the Eventia Suite package perform the following on the machine that contains the Log Server package:

1. Log in as an administrator.

2. Go to the directory windows\EventiaSuite and double-click the setup.exe. The Installation Wizard begins.

3. Click Next and Yes to accept the agreement.

4. Select the components you wish to install (Eventia Reporter, Eventia Analyzer Server and/or Correlation Unit) and click Next.

5. In the Destination Location window verify that the location of the Eventia Suite package is correct and click Next.

Select a disk that has a lot of space since this is the location of your Eventia Reporter database.

The Check Point Configuration program, CPConfig, opens.

6. Select Add to enter the Product License information provided by

10. To complete the installation of Eventia Reporter and continue with the next phase of the installation, select Yes and click Finish to reboot the machine.

Solaris, Linux and SecurePlatform

The installation for Solaris and Linux systems is nearly identical. Where it is not, the instructions detail the differences.

1. On Linux:

a. Log in as root.

b. Run the command rpm -i <mount point>/linux/CPvpn/CPsuite-R63-00.i386.rpm

c. Run the command rpm -i <mount point>/linux/EventiaSuite/CPrt-R63-00.i386.rpm

On Solaris:

a. Log in as root.

b. Change to a temporary directory and extract the packages <mount point>/solaris2/CPvpn/CPsuite.tgz and <mount point>/solaris2/EventiaSuite.tgz with the following command: gtar xvfz <path_to_the_package>

Enter the command pkgadd -d ./ and install both the cpsuite and Eventia Suite packages.

On SecurePlatform:

a. Insert the installation CD into the disk drive.

b. Reboot.

c. Follow the steps that appear.

Note - Installing SecurePlatform reformats the computer's hard

For additional details refer to the SecurePlatform User Guide.

2. Log out and log in again.

On SecurePlatform, log in with username admin and password admin. Since this is the initial username and password, you will be prompted to change the password.

3. Run the command cpconfig.

4. Read the License Agreement and, if you accept, type Y to continue.

5. In the next window that appears select the components you wish to install (Eventia Reporter, Eventia Analyzer Server and/or Correlation Unit) and select Next.

6. Enter the license information you received from Check Point or use the 15-day evaluation license.

7. Add an administrator for the Eventia Suite by typing Y and entering the administrator name and password. Then set permissions for the administrator. Add more administrators if you like, and then type N to advance to the next screen.

8. To configure GUI Clients, type Y and enter the IP addresses of

Enabling Connectivity Through a Firewall

Certain additions to the Rule Base need to be made if a Firewall exists between any Eventia Suite components and the Management Server, and either of the following conditions apply:

the management is prior to NGX (R60)

the implied rules have been disabled

If either of these conditions is true, modify the Rule Base to enable connectivity between components as follows:

Table 2-1 Additions to the Rule Base to Enable Connectivity

| Source | Destination | Service |
|---|---|---|
| Eventia Analyzer Client | Eventia Analyzer Server | CPMI |
| Eventia Reporter Client | Eventia Reporter Server | CPMI |
| Management Server | Eventia Analyzer and Reporter Server | CPMI, FW1_ica_push |
| Eventia Analyzer Server | Management Server | FW1_sam |
| Eventia Analyzer Server | Correlation Unit | CPD, CPD_amon |
| Correlation Unit | Eventia Analyzer Server | CPD_seam (TCP/18266) |
| Third-party devices that issue syslog messages | Log Server enabled to receive syslog messages | |

For NGX SmartCenter R60 the following rule needs to be added to the Rule Base if a firewall exists between any Eventia Analyzer components and the Management Server:

Source Destination Service

Preparing Eventia Suite in SmartCenter

1. Launch SmartDashboard.

2. Create a new host for each Eventia Suite machine that contains an Eventia Suite component:

Manage > Network Object > New > Check Point > Host

3. In the General Properties window, click Communication and enter the activation key.

4. The version is not automatically entered if the Eventia Suite’s version is newer than SmartCenter. If so, select the most recent version available from the Version drop-down list.

5. In the Check Point product list, select the appropriate Eventia Suite component that you installed on the host that you created in step 2. If the SmartCenter version is pre-NGX, select both SmartView Reporter and Log Server in place of Eventia Analyzer Server or Eventia Correlation Unit.

Note - If the SmartCenter Server and Eventia Suite are installed on either side of a firewall, add a rule to the firewall that allows SIC communication between the two.

6. Install the Security Policy (Policy > Install) or install the database (Policy > Install Database) to make the Eventia Suite functional.

7. In order to enable the Eventia Analyzer Server to block attacks from specific IP addresses, the Management Server must be configured to accept SAM commands from the Eventia Analyzer Server. On the Management Server, edit the file sic_policy.conf, which is located in the directory $CPDIR\conf. Search for the section [Inbound rules], and add the following line under # sam proxy:

DN_Mgmt ; Reporting_Tool; ANY; sam ; sslca

8. From the command line in the Management Server machine run the following commands:

cpstop

cpstart
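
The check below is an added example, not part of the original guide or of Check Point's tooling: before running cpstop and cpstart, it reports whether the step 7 rule is active inside [Inbound rules] of a sic_policy.conf-style file, or is commented out, sits in another section, or is missing. The function names, the constructed sample files and the assumed file layout (bracketed section headers, # comments, semicolon-separated fields) are assumptions based only on the lines quoted in this guide; it needs a POSIX shell with awk, so on a Windows Management Server run it against a copy of the file.

```shell
#!/bin/sh
# Added example, not from the guide. Assumed file layout (inferred from the
# lines the guide quotes): "[Section]" headers, "#" comments, ";"-separated fields.

# Rule text exactly as given in step 7.
SAM_RULE='DN_Mgmt ; Reporting_Tool; ANY; sam ; sslca'

# sic_rule_status FILE SECTION RULE
# Prints ok | commented | wrong-section | missing; returns 0 only for "ok".
sic_rule_status() {
    awk -v section="[$2]" -v want="$3" '
        # Spacing around ";" varies, so compare with all whitespace removed.
        function squeeze(s) { gsub(/[ \t\r]/, "", s); return s }
        BEGIN { want = squeeze(want); section = squeeze(section) }
        {
            line = squeeze($0)
            if (line ~ /^\[.*\]$/) { in_sec = (line == section); next }
            commented = (line ~ /^#/)
            sub(/^#+/, "", line)
            if (line != want) next
            if (in_sec && !commented) ok = 1
            else if (in_sec) com = 1
            else other = 1
        }
        END {
            if (ok)    { print "ok"; exit 0 }
            if (com)   { print "commented"; exit 1 }
            if (other) { print "wrong-section"; exit 1 }
            print "missing"; exit 1
        }
    ' "$1"
}

# write_sample FILE VARIANT
# Writes a constructed sample file (not real configuration).
# VARIANT: good | commented | misplaced | none
write_sample() {
    {
        echo '[Outbound rules]'
        echo '# for log_export tool and Abacus analyzer'
        echo 'ANY ;ANY ;ANY; lea ; sslca'
        [ "$2" = misplaced ] && echo "$SAM_RULE"
        echo
        echo '[Inbound rules]'
        echo '# sam proxy'
        # Same rule with different spacing, to exercise the normalization.
        [ "$2" = good ] && echo 'DN_Mgmt;Reporting_Tool ;ANY ; sam;sslca'
        [ "$2" = commented ] && echo "# $SAM_RULE"
        true
    } > "$1"
}

# Demo: check the file given as $1, or a constructed sample if none is given.
demo_file=${1:-}
made_sample=
if [ -z "$demo_file" ]; then
    demo_file=$(mktemp) && write_sample "$demo_file" commented && made_sample=1
fi
echo "sam rule in [Inbound rules]: $(sic_rule_status "$demo_file" 'Inbound rules' "$SAM_RULE")"
[ -n "$made_sample" ] && rm -f "$demo_file"
true
```

Any result other than ok means the Management Server would not have the rule in effect after the restart in step 8.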

Preparing Eventia Suite on Provider-1 MDS

Preparing Eventia Suite on Provider-1 MDS varies according to the version you are currently working with. Refer to the appropriate section below based on your version of Provider-1.

For Provider-1/SiteManager-1 Version R55

In Provider-1/SiteManager-1 R55, Eventia Suite can read the logs of multiple CMAs with the use of putkey operations.

1. In the Provider-1/SiteManager-1 Global SmartDashboard, create a Check Point Host Object, name it, enter its IP address and enable the product SmartView Reporter.

2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication.

Note - Do not run the Get Version operation. Instead, specify the most recent version possible.

3. Select Close and OK.

4. From the File menu, select Save.

5. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.

6. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want the Eventia Suite to read logs.

7. From the command line of the Eventia machine run the following commands:

a. syslog -r

b. cpstop

c. cpstart

Note - Wait a couple of minutes for the objects to synchronize

8. On the Eventia Suite machine and/or the Correlation Unit machine that will read logs from a CMA, run the command cpstop.

9. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. Search for the section [Outbound rules], and change the following lines from:

# for log_export tool and Abacus analyzer

ANY ;ANY ;ANY; lea ; sslca

to:

# for log_export tool,

Eventia Analyzer Provider-1

Add the following rule after these lines:

ANY ;ANY ;ANY; lea ; ssl

13. Run the command mdsstart.

14. Execute the putkey operation in the following manner:

a. On the Eventia Suite machine, run cpstop and fw putkey -p [shared_password] [CMA_IP].

b. On the MDS, while in the CMA environment, run mdsstop_customer [CMA_IP] and fw putkey -p [shared_password] [Eventia Suite Server_IP]

Note - Enter the command mdsenv <customer_name> to switch to the appropriate CMA environment. To return to the MDS environment, enter the command mdsenv.

c. Run mdsstart_customer [CMA_IP] on the CMA.

d. Run cpstart on the Eventia Suite machine.

Note - Wait a few minutes for the putkey operation to complete.

For Provider-1/SiteManager-1 Version R60

1. In Global SmartDashboard, create a Check Point Host Object, name it and enter its IP address.

2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication.

Note - Do not run the Get Version operation. Instead, specify the most recent version possible.

3. Select Close and OK.

4. Make sure that the product Eventia Reporter is enabled.

5. From the File menu, select Save.

6. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.

7. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.

8. From the command line of the Eventia machine run the following commands:

a. syslog -r

b. cpstop

c. cpstart

Note - Wait a couple of minutes for the objects to synchronize

3. Select Close and OK.

4. Make sure that the appropriate products (Eventia Reporter, Eventia Analyzer Server, Eventia Correlation Unit and Log Server) are enabled.

5. In the properties of the new Host object, select Log and Masters > Additional Logging Configuration, and enable the property Accept Syslog messages.

6. From the File menu, select Save.

7. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.

8. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.

Chapter 3

Initial Configuration

In This Chapter

Introduction to Initial Configuration

Enabling Connectivity with Provider-1/SiteManager-1

Configuring the Eventia Suite Clients

Introduction to Initial Configuration

The various Eventia Suite components require secure internal communication (SIC) with the Management Server (either a SmartCenter Server or a Provider-1/SiteManager-1 CMA). Instructions are in the section “Enabling Connectivity with Provider-1/SiteManager-1” below.

Once connectivity is established, install the Eventia Suite and begin to configure the system. See “Configuring the Eventia Suite Clients” on page 34 for details.

Enabling Connectivity with Provider-1/SiteManager-1

1. Open the Eventia Analyzer client, go to Policy tab > General Settings > Objects > Customers, and add all of the Customers with whom you will be working.

Objects will be synchronized from the CMAs – this may take some time.

2. Go to Policy tab > General Settings > Objects > Network Objects, and add networks and hosts that are not defined in the CMAs.

3. Go to Policy tab > General Settings > Initial Settings > Internal Network, and add the networks and hosts that are part of the Internal Network.

4. Go to Policy tab > General Settings > Initial Settings > Correlation Units, click Add... and select the Correlation Unit and its Log Servers. For traffic logs, select the relevant CLM or MLM Log Server; for audit logs, select the relevant CMA.

5. Install the Event Policy.

Configuring the Eventia Suite Clients

In This Section

Installing the Eventia Suite Clients

Define the Internal Network for Eventia Analyzer

Creating a Consolidation Session for Eventia Reporter

Defining Correlation Units and Log Servers for Eventia Analyzer

The final stage of getting started with Eventia Suite is the installation and initial configuration of the Eventia Suite Clients. The workflow is as follows:

1. Install the Eventia Suite Clients

2. For Eventia Analyzer:

Define the Internal Network and Correlation Units

Install the Event Policy

Installing the Eventia Suite Clients

The Eventia Suite Clients are supported on Windows platforms only. To install the Eventia Suite Clients, follow these instructions:

1. Insert the Eventia Suite CD into the CD-ROM drive.

2. Under the directory \windows\CPclnt run setup.exe.

3. The Installation Wizard begins. Select Next.

4. Select the location in which to install the NGX R63 clients and select Next.

5. Choose the clients you want to install and select Next.

6. Select whether or not you want to create SmartConsole shortcuts on your Desktop.

7. Select OK.

8. Select Finish.

Define the Internal Network for Eventia Analyzer

To help Eventia Analyzer determine whether events have originated internally or externally, the Internal Network must be defined. Certain network objects are copied from the Management Server to the Eventia Analyzer Server during the initial sync and updated afterwards periodically. Define the Internal Network from these objects.

To define the Internal Network, do the following:

1. Start the Eventia Analyzer Client.

2. From the Policy view, select General Settings > Initial Settings > Internal Network.

Note - SmartView Tracker™ is used in conjunction with Eventia Analyzer.

3. Add internal objects.

Note - It is recommended to add all internal Network objects, and not Host objects.

Creating a Consolidation Session for Eventia Reporter

The Consolidation session reads logs from the log server and adds them to the Eventia Reporter database. If there is a single log server connected to SmartCenter a Consolidation session will automatically be created to read newly generated logs. If there is more than one log server connected to your SmartCenter Server, a Consolidation session will already be created to read the latest logs that are added to the log sequence.

When creating a Consolidation session you are determining the log server that should be used to extract information and the database table in which the consolidated information should be stored.

1. In the Selection Bar view, select Management > Consolidation.

2. Select the Sessions tab.

3. Click the Create New... button to create a new session. The New Consolidation Session - Select Log Server window appears.

4. Select the log server from which logs will be collected and will be used to generate reports.

5. Click Next. The New Consolidation Session - Select Log Files and database for consolidation session window appears.

6. Choose whether to use the default source logs and default database tables or select specific source logs and specific database tables for consolidation.

If you select Select default log files and database click Finish to complete the process. This option indicates that the source of the reports will be preselected logs and all the information will be stored in the default database table named CONNECTIONS. The preselected logs are the sequence of log files that are generated by Check Point products. The preselected logs session will begin at the beginning of last file in the sequence or at the point the sequence was stopped. If you want to customize the Consolidation session refer to the Eventia Reporter User Guide.

Defining Correlation Units and Log Servers for Eventia Analyzer

1. From the Policy view of the Eventia Analyzer Client, select General Settings > Initial Settings > Correlation Units.

2. Select Add.

3. Click the [...] symbol and select a Correlation Unit from the displayed window.

4. Select OK.

5. Click Add and select the Log Servers available as data sources to the Correlation Unit from the displayed window.

Incorporating Third-Party Devices

In This Section

Syslog Devices

Windows Events

Syslog Devices

Various third-party devices use the syslog format for logging. Eventia Suite can process third-party syslog messages by reformatting the raw data. As the reformatting process should take place on an Eventia machine, it is recommended to enable a Log Server on one of the Eventia machines and to direct all third-party syslog traffic there. Instructions are as follows:

1. On the Management Server, open SmartDashboard and edit the properties of the Eventia object. For that object only, enable the property Log Server under Check Point Products. For the purposes of this section, this object will be referred to as the “syslog Log Server.”

2. Open Logs and Masters > Additional Logging.

3. Enable the property Accept Syslog messages.

4. Select Policy > Install Database.

5. On the third-party device, configure syslogs to be sent to the syslog Log Server.

6. On the Management Server, enable the following rule in the Rule Base.

| Source | Destination | Service |
|---|---|---|
| Third-party devices that issue syslog messages | syslog Log Server | UDP syslog |

7. On the Eventia Analyzer Client, add the syslog Log Server to a Correlation Unit, if not already enabled. See “Defining Correlation Units and Log Servers for Eventia Analyzer” on page 38 for instructions.

8. Install Event Policy on the Eventia Analyzer Server.

9. Reboot the syslog Log Server.

Windows Events

Introduction

Check Point Windows Event Service is an application that runs as a


Permissions

Check Point Windows Event Service is first installed as a service on the user's machine and the user provides a username and password. The username can be either that of a domain administrator of the machines whose Windows events will be read, or that of a local administrator on the machine that provides the Windows events. Check Point Windows Event Service requires trust to be established so it can communicate with the Log Server.

Installation

SmartDashboard

1. On the OPSEC tab, select OPSEC Applications, right click, select New > OPSEC Application.

2. Enter the name (which name?)

3. Click on New to create a Host.

4. Enter a name and the IP address of the machine that will run WinEventToCPLog, then select OK.

5. Under Client Entities, select ELA.

6. Select Communication.

7. Enter an Activation Key, repeat it in the confirmation line, and keep a record of it for later use.

8. Select Initialize. The system should report the trust state as Initialized but trust not established.

9. Select Close.

10. Select OK.

Windows Machine

12. Install the package WinEventToCPLog from the Eventia Suite CD.

13. When the installation completes, restart the machine.

14. Open a command prompt window and go to the following location: C:\Program Files\CheckPoint\WinEventToCPLog\R63\bin

15. Run the command windowEventToCPLog -pull_cert

a. Enter the IP address of the management server

b. Enter the OPSEC Application object name you created in step 2.

c. Enter the Activation Key that you used in step 7.

16. Restart the Check Point Windows Event Service.

17. If this machine is running a log server then install the Event Policy on this machine.


23. Open a command prompt window and change to C:\Program Files\CheckPoint\WinEventToCPLog\ENF\WinEventToCPLog\bin
24. Run the following commands:
    windowEventToCPLog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that will receive the Windows Events.
    windowEventToCPLog -a <ipaddr>, where <ipaddr> is the IP address of each machine that will send Windows Events.
    windowEventToCPLog -s, where you will be prompted for an administrator name and the administrator password that will be registered with the windowEventToCPLog service.

SNMP Traps

To convert SNMP traps to the cplog format, the machine must first be registered as a server that accepts SNMP traps. Run the following commands on an Eventia machine:

1. snmpTrapToCPLog -r
2. For each machine from which you want to read SNMP traps, run the command snmpTrapToCPLog -a IPaddress.
3. cpstop
4. cpstart

Note - When configuring windowEventToCPLog to read Windows events from a remote machine, check that the administrator registered with windowEventToCPLog has access to the remote machine’s events. A simple way to test this is to log in as that administrator and, from this machine, attempt to read the events from the remote machine using the Microsoft Event Viewer.
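The access check described in the note can also be scripted. The following is an added example, not part of the Check Point guide or product: it uses the standard PowerShell cmdlet Get-WinEvent, and the host addresses, log names, function name and status labels are assumptions chosen for illustration.

```powershell
# Added example (not Check Point code). Run it while logged in as the administrator
# account that was registered with "windowEventToCPLog -s".
# Constructed placeholder list: replace with the addresses given to "windowEventToCPLog -a".
$SourceHosts = @('192.0.2.10', '192.0.2.11')
# Assumed set of logs to test; the Security log is usually the most restricted one.
$LogNames    = @('Application', 'System', 'Security')

# Hypothetical helper: tries to read one record from each log on one remote machine.
function Test-RemoteEventLogAccess {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $LogName
    )
    foreach ($log in $LogName) {
        $status = 'Readable'
        $detail = ''
        try {
            # Reading a single record is enough to prove the account can open the log.
            $null = Get-WinEvent -ComputerName $ComputerName -LogName $log -MaxEvents 1 -ErrorAction Stop
        }
        catch {
            if ($_.Exception -is [System.UnauthorizedAccessException]) {
                # The machine answered, but this account may not read the log.
                $status = 'AccessDenied'
                $detail = $_.Exception.Message
            }
            elseif ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                # The log opened but holds no records, so access itself is fine.
                $status = 'ReadableEmpty'
            }
            else {
                # Typically name resolution, firewall or RPC problems rather than permissions.
                $status = 'Unreachable'
                $detail = $_.Exception.Message
            }
        }
        [pscustomobject]@{ Computer = $ComputerName; Log = $log; Status = $status; Detail = $detail }
    }
}

$results = foreach ($h in $SourceHosts) {
    Test-RemoteEventLogAccess -ComputerName $h -LogName $LogNames
}
$results | Format-Table -AutoSize -Wrap

# Exit non-zero if any log could not be read, so the check can gate a rollout script.
if ($results | Where-Object { $_.Status -notin 'Readable', 'ReadableEmpty' }) { exit 1 }
```

An AccessDenied result points at the account's rights on the remote machine, while Unreachable points at connectivity between the two machines.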


Chapter 4: Upgrading Eventia

To upgrade the Eventia Suite, see the Upgrade Guide available in the Docs directory of your installation CD.


Check Point Software Technologies Ltd.

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]

International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." 
The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson ([email protected]). Copyright (c) 2003, Itai Tzur <[email protected]>

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved. Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or

Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Disclaimer Warranty

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")) Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel <[email protected]>

University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.


Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

